MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3 CONTENTS

(1)

MODBUS APPLICATION PROTOCOL SPECIFICATION V1.1b3

The industry’s serial de facto standard since 1979, MOD BUS continues to enable millions of automation devices to communicate. Today, support for the simple and elegant structure of MODBUS continues to grow. The Internet community can access MODBUS at a reserved system port 502 on the TCP/IP stack.

MODBUS is a request/reply protocol and offers services specified by function codes.

MODBUS function codes are elements of MODBUS request/reply PDUs. The objective of this document is to describe the function codes used within the framework of MODBUS transactions.

MODBUS is an application layer messaging protocol for client/server communication between devices connected on different types of buses or networks.

It is currently implemented using:

 TCP/IP over Ethernet. See MODBUS Messaging Implementation Guide V1.0a.

 Asynchronous serial transmission over a variety of media (wire : EIA/TIA -232-E, EIA-422, EIA/TIA-485-A; fiber, radio, etc.)

 MODBUS PLUS, a high speed token passing network.

TCP Modbus on TCP MODBUS APPLICATION LAYER

IP

Ethernet Physical layer Ethernet II /802.3 EIA/TIA-232 or

EIA/TIA-485 Master / Slave Physical layer

MODBUS+ / HDLC Other

Other

Figure 1: MODBUS communication stack

References

1. RFC 791, Internet Protocol, Sep81 DARPA 2 Abbreviations

ADU Application Data Unit HDLC High level Data Link Control HMI Human Machine Interface IETF Internet Engineering Task Force I/O Input/Output

IP Internet Protocol MAC Media Access Control MB MODBUS Protocol

(3)

MBAP MODBUS Application Protocol PDU Protocol Data Unit

PLC Programmable Logic Controller TCP Transmission Control Protocol 3 Context

The MODBUS protocol allows an easy communication within all types of network architectures.

Figure 2: Example of MODBUS Network Architecture

Every type of devices (PLC, HMI, Control Panel, Driver, Motion control, I/O Device…) can use MODBUS protocol to initiate a remote operation.

The same communication can be done as well on serial line as on an Ethernet TCP/IP networks. Gateways allow a communication between several types of buses or network using the MODBUS protocol.

4 General description

4.1 Protocol description

The MODBUS protocol defines a simple protoc ol data unit (PDU) independent of the underlying communication layers. The mapping of MODBUS protocol on specific buses or network can introduce some additional fields on the application data unit (ADU).

Additional address Function code Data Error check

ADU

PDU

Figure 3: General MODBUS frame

PLC HMI I/ O I/ O PLC

Drive I/ O

MODBUS ON TCP/IP

Gateway Gateway Gateway

MODBUS ON MB+ MODBUS ON RS232 MODBUS ON RS485

Device

HMI

PLC PLC

Drive I/ O I/ O

I/ O I/ O

Device

MODBUS COMMUNICATION

(4)

The MODBUS application data unit is built by the client that initiates a MODBUS transaction.

The function indicates to the server what kind of action to perform. The MODBUS application protocol establishes the format of a request initiated by a client.

The function code field of a MODBUS data unit is coded in one byte. Valid codes are in the range of 1 ... 255 decimal (the range 128 – 255 is reserved and used for exception responses). When a message is sent from a Client to a Server device the function code field tells the server what kind of action to perform. Function code "0" is not valid.

Sub-function codes are added to some function codes to define multiple actions.

The data field of messages sent from a client to server devices contains additional information that the server uses to take the action defined by the function code. This can include items like discrete and register addresses, the quantity of items to be handled, and the count of actual data bytes in the field.

The data field may be nonexistent (of zero length) in certain kinds of requests, in this case the server does not require any additional information. The function code alone specifies the action.

If no error occurs related to the MODBUS function requested in a properly received MODBUS ADU the data field of a response from a server to a client contains the data requested. If an error related to the MODBUS function requested occurs, the field contains an exception code that the server application can use to determine the next action to be taken.

For example a client can read the ON / OFF states of a group of discrete outputs or inputs or it can read/write the data contents of a group of registers.

When the server responds to the client, it uses the function code field to indicate either a normal (error-free) response or that some kind of error occurred (called an exception response). For a normal response, the server simply echoes to the request the original function code.

Function code Data Request

Client Server

Initiate request

Perform the action Initiate the response

Receive the response

Function code Data Response

Figure 4: MODBUS transaction (error free)

For an exception response, the server returns a code that is equivalent to the original function code from the request PDU with its most significant bit set to logic 1.

Figure 5: MODBUS transaction (exception response)

Client Server

Initiate request

Error detected in the action Initiate an error

Exception Function code

Receive the response Exception code

Function code Data Request

(5)



Note: It is desirable to manage a time out in order not to indefinitely wait for an answer which will perhaps never arrive.

The size of the MODBUS PDU is limited by the size constraint inherited from the first MODBUS implementation on Serial Line network (max. RS485 ADU = 256 bytes).

Therefore:

MODBUS PDU for serial line communication = 256 - Server address (1 byte) - CRC (2 bytes) = 253 bytes.

Consequently:

RS232 / RS485 ADU = 253 bytes + Server address (1 byte) + CRC (2 bytes) = 256 bytes.

TCP MODBUS ADU = 253 bytes + MBAP (7 bytes) = 260 bytes.

The MODBUS protocol defines three PDUs. They are :

 MODBUS Request PDU, mb_req_pdu

 MODBUS Response PDU, mb_rsp_pdu

 MODBUS Exception Response PDU, mb_excep_rsp_pdu

The mb_req_pdu is defined as:

mb_req_pdu = {function_code, request_data}, where function_code = [1 byte] MODBUS function code,

request_data = [n bytes] This field is function code dependent and usually contains information such as variable references,

variable counts, data offsets, sub-function codes etc.

The mb_rsp_pdu is defined as:

mb_rsp_pdu = {function_code, response_data}, where function_code = [1 byte] MODBUS function code

response_data = [n bytes] This field is function code dependent and usually contains information such as variable references,

variable counts, data offsets, sub-function codes, etc.

The mb_excep_rsp_pdu is defined as:

mb_excep_rsp_pdu = {exception-function_code, request_data}, where exception-function_code = [1 byte] MODBUS function code + 0x80 exception_code = [1 byte] MODBUS Exception Code Defined in table "MODBUS Exception Codes" (see section 7 ).

4.2 Data Encoding

 MODBUS uses a ‘big-Endian’ representation for addresses and data items. This means that when a numerical quantity larger than a single byte is transmitted, the most significant byte is sent first. So for example

Register size value

16 - bits 0x1234 the first byte sent is 0x12 then 0x34



Note: For more details, see [1] .

(6)

4.3 MODBUS Data model

MODBUS bases its data model on a series of tables that have distinguishing characteristics.

The four primary tables are:

Primary tables Object type Type of access

Comments

Discretes Input Single bit Read-Only This type of data can be provided by an I/O system.

Coils Single bit Read-Write This type of data can be alterable by an application program.

Input Registers 16-bit word Read-Only This type of data can be provided by an I/O system Holding Registers 16-bit word Read-Write This type of data can be alterable by an application

program.

The distinctions between inputs and outputs, and between bit -addressable and word- addressable data items, do not imply any application behavior. It is perfectly acceptable, and very common, to regard all four tables as overlaying one another, if this is the most natural interpretation on the target machine in question.

For each of the primary tables, the protocol allows individual selection of 65536 data items, and the operations of read or write of those items are designed to span multiple consecutive data items up to a data size limit which is dependent on the transaction function code.

It’s obvious that all the data handled via MODBUS (bits, registers) must be located in device application memory. But physical address in memory should not be confused with data reference. The only requirement is to link data reference with physical address.

MODBUS logical reference numbers, which are used in MODBUS funct ions, are unsigned integer indices starting at zero.

 Implementation examples of MODBUS model

The examples below show two ways of organizing the data in device. There are different organizations possible, but not all are described in this document. Each de vice can have its own organization of the data according to its application

Example 1 : Device having 4 separate blocks

The example below shows data organization in a device having digital and analog, inputs and outputs. Each block is separate because dat a from different blocks have no correlation. Each block is thus accessible with different MODBUS functions.

Input Discrete MODBUS access Device application memory

MODBUS SERVER DEVICE

MODBUS Request Coils

Input Registers

Holding Registers

Figure 6 MODBUS Data Model with separate block

(7)

Example 2: Device having only 1 block

In this example, the device has only 1 data block. The same data can be reached via several MODBUS functions, either via a 16 bit access or via an access bit.

Device application memory

MODBUS SERVER DEVICE

MODBUS Request Input Discrete

MODBUS access

Coils Input Registers

Holding Registers R

W

R

W

Figure 7 MODBUS Data Model with only 1 block

4.4 MODBUS Addressing model

The MODBUS application protocol defines precisely PDU addressing rules.

In a MODBUS PDU each data is addressed from 0 to 65535.

It also defines clearly a MODBUS data model composed of 4 blocks that comprises several elements numbered from 1 to n.

In the MODBUS data Model each element within a data block is numbered from 1 to n.

Afterwards the MODBUS data model has to be bound to the device application ( IEC -61131 object, or other application model).

The pre-mapping between the MODBUS data model and the device application is totally vendor device specific.

(8)

Figure 8 MODBUS Addressing model

The previous figure shows that a MODBUS data numbered X is addressed in the MODBUS PDU X-1.

4.5 Define MODBUS Transaction

The following state diagram describes the generic processing of a MODBUS transaction in server side.

Discrete Input

Coils

Input Registers

Holding Registers MODBUS data model Device application

1 . . . 1 . 5 .

1 2 .

MODBUS PDU addresses

1 . .

55 Read Registers 54 Read Registers 1

Read coils 4 Read input 0

MODBUS Standard Application specific

Mapping

(9)

V

Validate function code

Validate data value

ExceptionCode = 3 Wait for a MB indication

ExceptionCode = 2 ExeptionCode = 1

Send Modbus Exception

Response

ExceptionCode = 4, 5, 6

Execute MB function

Send Modbus Response

Validate data Address

[invalid]

[valid]

[invalid]

[valid]

[Receive MB indication]

Figure 9 MODBUS Transaction state diagram

Once the request has been processed by a server, a MODBUS response using the adequate MODBUS server transaction is built.

Depending on the result of the processing two types of response are built :

 A positive MODBUS response :

 the response function code = the request function code

 A MODBUS Exception response ( see section 7 ):

 the objective is to provide to the client relevant information concerning the error detected during the processing ;

 the exception function code = the request function code + 0x80 ;

 an exception code is provided to indicate the reason of the error.

(10)

5 Function Code Categories

There are three categories of MODBUS Functions codes. They are :

Public Function Codes

 Are well defined function codes ,

 guaranteed to be unique,

 validated by the MODBUS.org community,

 publicly documented

 have available conformance test,

 includes both defined public assigned function codes as well as unassigned function codes reserved for future use.

User-Defined Function Codes

 there are two ranges of user-defined function codes, i.e. 65 to 72 and from 100 to 110 decimal.

 user can select and implement a function code that is not supported by the specification.

 there is no guarantee that the use of the selected function code will be unique

 if the user wants to re-position the functionality as a public function code, he must initiate an RFC to introduce the change into the public category and to have a new public function code assigned.

 MODBUS Organization, Inc expressly reserves the right to develop the proposed RFC.

Reserved Function Codes

 Function Codes currently used by some companies for legacy products and that are not available for public use.

 Informative Note: The reader is asked refer to Annex A (Informative) MODBUS RESERVED FUNCTION CODES, SUBCODES AND MEI TYPES.

Figure 10 MODBUS Function Code Categories

User Defined Function codes

1 65 100 110

72

User Defined Function codes

PUBLIC function codes PUBLIC function codes

PUBLIC function codes

127

(11)

5.1 Public Function Code Definition

Function Codes code Sub

code

(hex) Section

Data Access

Bit access

Physical Discrete Inputs

Read Discrete Inputs 02 02 6.2

Internal Bits Or Physical coils

Read Coils 01 01 6.1

Write Single Coil 05 05 6.5

Write Multiple Coils 15 0F 6.11

16 bits access

Physical Input Registers

Read Input Register 04 04 6.4

Internal Registers Or

Physical Output Registers

Read Holding Registers 03 03 6.3

Write Single Register 06 06 6.6

Write Multiple Registers 16 10 6.12

Read/Write Multiple Registers 23 17 6.17

Mask Write Register 22 16 6.16

Read FIFO queue 24 18 6.18

File record access

Read File record 20 14 6.14

Write File record 21 15 6.15

Diagnostics

Read Exception status 07 07 6.7

Diagnostic 08 00-18,20 08 6.8

Get Com event counter 11 OB 6.9

Get Com Event Log 12 0C 6.10

Report Server ID 17 11 6.13

Read device Identification 43 14 2B 6.21 Other Encapsulated Interface

Transport

43 13,14 2B 6.19 CANopen General Reference 43 13 2B 6.20

6 Function codes descriptions

6.1 01 (0x01) Read Coils

This function code is used to read from 1 to 2000 contiguous status of coils in a remote device. The Request PDU specifies the starting address, i.e. the address of the first coil specified, and the number of coils. In the PDU Coils are addressed starting at zero. Therefore coils numbered 1-16 are addressed as 0-15.

The coils in the response message are packed as one coil per bit of the data field. Status is indicated as 1= ON and 0= OFF. The LSB of the first data byte contains the output addressed in the query. The other coils follow toward the high order end of this byte, and from low order to high order in subsequent bytes.

If the returned output quantity is not a multiple of eight, the remaining bits in the final data byte will be padded with zeros (toward the high order end of the byte). The Byte Count field specifies the quantity of complete bytes of data.

Request

Function code 1 Byte 0x01

Starting Address 2 Bytes 0x0000 to 0xFFFF Quantity of coils 2 Bytes 1 to 2000 (0x7D0) Response

Byte count 1 Byte N*

Coil Status n Byte n = N or N+1

(12)

*N = Quantity of Outputs / 8, if the remainder is different of 0  N = N+1 Error

Function code 1 Byte Function code + 0x80

Exception code 1 Byte 01 or 02 or 03 or 04

Here is an example of a request to read discrete outputs 20–38:

Request Response

Field Name (Hex) Field Name (Hex)

Function 01 Function 01

Starting Address Hi 00 Byte Count 03

Starting Address Lo 13 Outputs status 27-20 CD

Quantity of Outputs Hi 00 Outputs status 35-28 6B Quantity of Outputs Lo 13 Outputs status 38-36 05

The status of outputs 27–20 is shown as the byte value CD hex, or binary 1100 1101. Output 27 is the MSB of this byte, and output 20 is the LSB.

By convention, bits within a byte are shown with the MSB to the left, and the LSB to the right.

Thus the outputs in the first byte are ‘27 through 20’, from left to right. The next byte has outputs ‘35 through 28’, left to right. As the bits are transmitted serially, they flow from LSB to MSB: 20 . . . 27, 28 . . . 35, and so on.

In the last data byte, the status of outputs 38 -36 is shown as the byte value 05 hex, or binary 0000 0101. Output 38 is in the sixth bit position from the left, and output 36 is the LSB of this byte. The five remaining high order bits are zero filled.



Note: The five remaining bits (toward the high order end) are zero filled.

MB Server Sends mb_exception_rsp EXIT

MB Server receives mb_req_pdu

ExceptionCode = 01 YES

NO

ENTRY

ReadDiscreteOutputs == OK

MB Server Sends mb_rsp NO

YES 0x0001  Quantity of Outputs  0x07D0

Function code supported

Starting Address == OK AND

Starting Address + Quantity of Outputs == OK

ExceptionCode = 04

Request Processing

Figure 11: Read Coils state diagram

6.2 02 (0x02) Read Discrete Inputs

This function code is used to read from 1 to 2000 contiguous status of discrete inputs in a remote device. The Request PDU specifies the starting address, i.e. the address of the first

(13)

input specified, and the number of inputs. In the PDU Discrete Inputs a re addressed starting at zero. Therefore Discrete inputs numbered 1-16 are addressed as 0-15.

The discrete inputs in the response message are packed as one input per bit of the data field.

Status is indicated as 1= ON; 0= OFF. The LSB of the first data byte contains the input addressed in the query. The other inputs follow toward the high order end of this byte, and from low order to high order in subsequent bytes.

If the returned input quantity is not a multiple of eight, the remaining bits in the final d ata byte will be padded with zeros (toward the high order end of the byte). The Byte Count field specifies the quantity of complete bytes of data.

Request

Starting Address 2 Bytes 0x0000 to 0xFFFF Quantity of Inputs 2 Bytes 1 to 2000 (0x7D0)

Response

Byte count 1 Byte N*

Input Status N* x 1 Byte

*N = Quantity of Inputs / 8 if the remainder is different of 0  N = N+1 Error

Error code 1 Byte 0x82

Here is an example of a request to read discrete inputs 197 – 218:

Starting Address Lo C4 Inputs Status 204-197 AC

Quantity of Inputs Hi 00 Inputs Status 212-205 DB Quantity of Inputs Lo 16 Inputs Status 218-213 35

The status of discrete inputs 204–197 is shown as the byte value AC hex, or binary 1010 1100. Input 204 is the MSB of this byte, and input 197 is the LSB.

The status of discrete inputs 218–213 is shown as the byte value 35 hex, or binary 0011 0101.

Input 218 is in the third bit position from the left, and input 213 is the LSB.



Note: The two remaining bits (toward the high order end) are zero filled.

(14)

MB Server Sends mb_exception_rsp EXIT MB Server receives mb_req_pdu

NO

ENTRY

ReadDiscreteInputs == OK

YES 0x0001  Quantity of Inputs  0x07D0

Starting Address + Quantity of Inputs == OK

ExceptionCode = 04

Request Processing

Figure 12: Read Discrete Inputs state diagram

(15)

6.3 03 (0x03) Read Holding Registers

This function code is used to read the contents of a contiguous block of holding registers in a remote device. The Request PDU specifies the starting r egister address and the number of registers. In the PDU Registers are addressed starting at zero. Therefore registers numbered 1-16 are addressed as 0-15.

The register data in the response message are packed as two bytes per register, with the binary contents right justified within each byte. For each register, the first byte contains the high order bits and the second contains the low order bits.

Request

Starting Address 2 Bytes 0x0000 to 0xFFFF Quantity of Registers 2 Bytes 1 to 125 (0x7D) Response

Byte count 1 Byte 2 x N*

Register value N* x 2 Bytes

*N = Quantity of Registers Error

Here is an example of a request to read registers 108 – 110:

Starting Address Lo 6B Register value Hi (108) 02 No. of Registers Hi 00 Register value Lo (108) 2B No. of Registers Lo 03 Register value Hi (109) 00 Register value Lo (109) 00 Register value Hi (110) 00 Register value Lo (110) 64

The contents of register 108 are shown as the two byte values of 02 2B hex, or 555 decimal.

The contents of registers 109–110 are 00 00 and 00 64 hex, or 0 and 100 decimal, respectively.

(16)

MB Server Sends mb_exception_rsp EXIT MB Server receives mb_req_pdu

NO

ENTRY

ReadMultipleRegisters == OK

YES 0x0001  Quantity of Registers  0x007D

Starting Address + Quantity of Registers == OK

ExceptionCode = 04

Request Processing

Figure 13: Read Holding Registers state diagram

6.4 04 (0x04) Read Input Registers

This function code is used to read from 1 to 125 contiguous input registers in a remote device.

The Request PDU specifies the starting register address and the number of registers. In the PDU Registers are addressed starting at zero. Therefore input registers n umbered 1-16 are addressed as 0-15.

The register data in the response message are packed as two bytes per register, with the binary contents right justified within each byte. For each register, the first byte contains the high order bits and the second contains the low order bits.

Request

Starting Address 2 Bytes 0x0000 to 0xFFFF Quantity of Input Registers 2 Bytes 0x0001 to 0x007D Response

Byte count 1 Byte 2 x N*

Input Registers N* x 2 Bytes

*N = Quantity of Input Registers Error

Exception code 1 Byte 01 or 02 or 03 or 04 Here is an example of a request to read input register 9:

Starting Address Lo 08 Input Reg. 9 Hi 00

Quantity of Input Reg. Hi 00 Input Reg. 9 Lo 0A

(17)

Quantity of Input Reg. Lo 01

The contents of input register 9 are shown as the two byte values of 00 0A hex, or 10 decimal.

MB Server Sends mb_exception_rsp EXIT

NO

ENTRY

ReadInputRegisters == OK

YES 0x0001  Quantity of Registers  0x007D

Starting Address + Quantity of Registers == OK

ExceptionCode = 04

Request Processing

Figure 14: Read Input Registers state diagram

6.5 05 (0x05) Write Single Coil

This function code is used to write a single output to either ON or OFF in a remote device.

The requested ON/OFF state is specified by a constant in the request data field. A value of FF 00 hex requests the output to be ON. A value of 00 00 requests it to be OFF. All other values are illegal and will not affect the output.

The Request PDU specifies the address of the coil to be forced. Coils are addressed starting at zero. Therefore coil numbered 1 is addressed as 0. The requested ON/OFF state is specified by a constant in the Coil Value field. A value of 0XFF00 requests the coil to be ON.

A value of 0X0000 requests the coil to be off. All other values are illegal and will not affect the coil.

The normal response is an echo of the request, returned after the coil state has been written.

Request

Output Address 2 Bytes 0x0000 to 0xFFFF

Output Value 2 Bytes 0x0000 or 0xFF00

Response

Output Address 2 Bytes 0x0000 to 0xFFFF

(18)

Output Value 2 Bytes 0x0000 or 0xFF00 Error

Here is an example of a request to write Coil 173 ON:

Output Address Hi 00 Output Address Hi 00

Output Address Lo AC Output Address Lo AC

Output Value Hi FF Output Value Hi FF

Output Value Lo 00 Output Value Lo 00

(19)

MB Server Sends mb_exception_rsp EXIT ExceptionCode = 04

NO

ExceptionCode = 02

YES NO

ENTRY

WriteSingleOutput == OK

YES Output Value == 0x0000

OR 0xFF00 Function code

supported

Output Address == OK

Request Processing

Figure 15: Write Single Output state diagram

6.6 06 (0x06) Write Single Register

This function code is used to write a single holding register in a remote device.

The Request PDU specifies the address of the register to be written. Registers are addressed starting at zero. Therefore register numbered 1 is addressed as 0.

The normal response is an echo of the request, returned after the register contents have been written.

Request

Register Address 2 Bytes 0x0000 to 0xFFFF

Register Value 2 Bytes 0x0000 to 0xFFFF

Response

Register Address 2 Bytes 0x0000 to 0xFFFF

Register Value 2 Bytes 0x0000 to 0xFFFF

Error

Exception code 1 Byte 01 or 02 or 03 or 04 Here is an example of a request to write register 2 to 00 03 hex:

Register Address Hi 00 Register Address Hi 00

Register Address Lo 01 Register Address Lo 01

Register Value Hi 00 Register Value Hi 00

Register Value Lo 03 Register Value Lo 03

(20)

NO

ExceptionCode = 02

YES NO

ENTRY

WriteSingleRegister == OK

YES 0x0000  Register Value  0xFFFF

Register Address == OK

Request Processing

Figure 16: Write Single Register state diagram

6.7 07 (0x07) Read Exception Status (Serial Line only)

This function code is used to read the contents of eight Exception Status outputs in a remote device.

The function provides a simple method for accessing this information, because the Exception Output references are known (no output reference is needed in the function).

The normal response contains the status of the eight Exception Status outputs. The outputs are packed into one data byte, with one bit per output. The statu s of the lowest output reference is contained in the least significant bit of the byte.

The contents of the eight Exception Status outputs are device specific.

Request

Response

Output Data 1 Byte 0x00 to 0xFF

Error

Exception code 1 Byte 01 or 04

Here is an example of a request to read the exception status:

Output Data 6D

(21)

In this example, the output data is 6D hex (0110 1101 binary). Left to right, the outputs are OFF–ON–ON–OFF–ON–ON–OFF–ON. The status is shown from the highest to the lowest addressed output.

ExceptionCode = 01 NO

YES ENTRY

ReadExceptionStatus == OK

YES Function code

supported

Request Processing

Figure 17: Read Exception Status state diagram

6.8 08 (0x08) Diagnostics (Serial Line only)

MODBUS function code 08 provides a series of tests for checking the communication system between a client device and a server, or for checking various internal error conditions within a server.

The function uses a two–byte sub-function code field in the query to define the type of test to be performed. The server echoes both the function code and sub -function code in a normal response. Some of the diagnostics cause data to be returned from the remote device in the data field of a normal response.

In general, issuing a diagnostic function to a remote device does not affect the running of the user program in the remote device. User logic, like discrete and registers, is not accessed by the diagnostics. Certain functions can optionally reset error counters in the remote device.

A server device can, however, be forced into ‘Listen Only Mode’ in which it will monitor the messages on the communications system but not respond to them. This can affect the outcome of your application program if it depends upon any fu rther exchange of data with the remote device. Generally, the mode is forced to remove a malfunctioning remote device from the communications system.

The following diagnostic functions are dedicated to serial line devices.

The normal response to the Return Query Data request is to loopback the same data. The function code and sub-function codes are also echoed.

Request

Sub-function 2 Bytes

Data N x 2 Bytes

(22)

Response

Sub-function 2 Bytes

Data N x 2 Bytes

Error

Exception code 1 Byte 01 or 03 or 04

6.8.1 Sub-function codes supported by the serial line devices

Here the list of sub-function codes supported by the serial line devices. Each sub -function code is then listed with an example of the data field contents that would apply for that diagnostic.

Sub-function code Name

Hex Dec

00 00 Return Query Data

01 01 Restart Communications Option 02 02 Return Diagnostic Register 03 03 Change ASCII Input Delimiter

04 04 Force Listen Only Mode

05.. 09 RESERVED

0A 10 Clear Counters and Diagnostic Register 0B 11 Return Bus Message Count

0C 12 Return Bus Communication Error Count 0D 13 Return Bus Exception Error Count 0E 14 Return Server Message Count 0F 15 Return Server No Response Count

10 16 Return Server NAK Count

11 17 Return Server Busy Count

12 18 Return Bus Character Overrun Count

13 19 RESERVED

14 20 Clear Overrun Counter and Flag N.A. 21 ... 65535 RESERVED

00 Return Query Data

The data passed in the request data field is to be returned (looped back) in the response. The entire response message should be identical to the request.

Sub-function Data Field (Request) Data Field (Response)

00 00 Any Echo Request Data

01 Restart Communications Option

The remote device serial line port must be initialized and restarted, and all of its communications event counters are cleared. If the port is currently in Listen Only Mode, no response is returned. This function is the only one that brings the port out of Lis ten Only Mode. If the port is not currently in Listen Only Mode, a normal response is returned. This occurs before the restart is executed.

When the remote device receives the request, it attempts a restart and executes its power–up confidence tests. Successful completion of the tests will bring the port online.

A request data field contents of FF 00 hex causes the port’s Communications Event Log to be cleared also. Contents of 00 00 leave the log as it was prior to the restart.

00 01 00 00 Echo Request Data

00 01 FF 00 Echo Request Data

02 Return Diagnostic Register

The contents of the remote device’s 16–bit diagnostic register are returned in the response.

00 02 00 00 Diagnostic Register Contents

(23)

03 Change ASCII Input Delimiter

The character ‘CHAR’ passed in the request data field becomes the end of message delimiter for future messages (replacing the default LF character). This function is useful in cases of a Line Feed is not required at the end of ASCII messages.

00 03 CHAR 00 Echo Request Data

04 Force Listen Only Mode

Forces the addressed remote device to its Listen Only Mode for M ODBUS communications.

This isolates it from the other devices on the network, allowing them to continue communicating without interruption from the addressed remote device. No response is returned.

When the remote device enters its Listen Only Mode, all ac tive communication controls are turned off. The Ready watchdog timer is allowed to expire, locking the controls off. While the device is in this mode, any MODBUS messages addressed to it or broadcast are monitored, but no actions will be taken and no responses will be sent.

The only function that will be processed after the mode is entered will be the Restart Communications Option function (function code 8, sub -function 1).

00 04 00 00 No Response Returned

10 (0A Hex) Clear Counters and Diagnostic Register

The goal is to clear all counters and the diagnostic register. Counters are also cleared upon power–up.

00 0A 00 00 Echo Request Data

11 (0B Hex) Return Bus Message Count

The response data field returns the quantity of messages that the remote device has detected on the communications system since its last restart, clear counters operation, or power–up.

00 0B 00 00 Total Message Count

12 (0C Hex) Return Bus Communication Error Count

The response data field returns the quantity of CRC errors encountered by the remote device since its last restart, clear counters operation, or power–up.

00 0C 00 00 CRC Error Count

13 (0D Hex) Return Bus Exception Error Count

The response data field returns the quantity of MODBUS exception responses returned by the remote device since its last restart , clear counters operation, or power–up.

Exception responses are described and listed in section 7 .

00 0D 00 00 Exception Error Count

14 (0E Hex) Return Server Message Count

The response data field returns the quantity of messages addressed to the remote device, or broadcast, that the remote device has processed since its last restart, clear counters operation, or power–up.

00 0E 00 00 Server Message Count

15 (0F Hex) Return Server No Response Count

(24)

The response data field returns the quantity of messages addressed to the remote device for which it has returned no response (neither a normal response nor an exception response), since its last restart, clear counters operation, or power–up.

00 0F 00 00 Server No Response Count

16 (10 Hex) Return Server NAK Count

The response data field returns the quantity of messages addressed to the remote device for which it returned a Negative Acknowledge (NAK) exception response, since its last restart, clear counters operation, or power–up. Exception responses are described and listed in section 7 .

00 10 00 00 Server NAK Count

17 (11 Hex) Return Server Busy Count

The response data field returns the quantity of messages addressed to the remote device for which it returned a Server Device Busy exception response, since its last restart, clear counters operation, or power–up.

00 11 00 00 Server Device Busy Count

18 (12 Hex) Return Bus Character Overrun Count

The response data field returns the quantity of messages addressed to the remote device that it could not handle due to a character overrun condition, since it s last restart, clear counters operation, or power–up. A character overrun is caused by data characters arriving at the port faster than they can be stored, or by the loss of a character due to a hardware malfunction.

00 12 00 00 Server Character Overrun Count

20 (14 Hex) Clear Overrun Counter and Flag

Clears the overrun error counter and reset the error flag.

00 14 00 00 Echo Request Data

6.8.2 Example and state diagram

Here is an example of a request to remote device to Return Query Data. This uses a sub - function code of zero (00 00 hex in the two–byte field). The data to be returned is sent in the two–byte data field (A5 37 hex).

Sub-function Hi 00 Sub-function Hi 00

Sub-function Lo 00 Sub-function Lo 00

Data Hi A5 Data Hi A5

Data Lo 37 Data Lo 37

The data fields in responses to other kinds of queries could contain error counts or other data requested by the sub-function code.

(25)

MB Server Sends mb_exception_rsp

EXIT ExceptionCode = 04

YES ENTRY

Diagnostic == OK

YES Function code supported

AND

Subfunction code supported

ExceptionCode = 03

Data Value == OK

NO

YES Request Processing

Figure 18: Diagnostic state diagram

6.9 11 (0x0B) Get Comm Event Counter (Serial Line only)

This function code is used to get a status word and an event count from the remote device's communication event counter.

By fetching the current count before and after a series of messages, a client can determine whether the messages were handled normally by the remote device.

The device’s event counter is incremented once for each successful message completion. It is not incremented for exception responses, poll commands, or fetch event counter commands.

The event counter can be reset by means of the Diagnostics function (code 08), with a sub - function of Restart Communications Option (code 00 01) or Clear Counters and Diagnostic Register (code 00 0A).

The normal response contains a two–byte status word, and a two–byte event count. The status word will be all ones (FF FF hex) if a previously–issued program command is still being processed by the remote device (a busy condition exists). Otherwise, the status word will be all zeros.

Request

Function code 1 Byte 0x0B

Response

Function code 1 Byte 0x0B

Status 2 Bytes 0x0000 to 0xFFFF

Event Count 2 Bytes 0x0000 to 0xFFFF

Error

Error code 1 Byte 0x8B

Here is an example of a request to get the communications event counter in remote device:

(26)

Function 0B Function 0B

Status Hi FF

Status Lo FF

Event Count Hi 01

Event Count Lo 08

In this example, the status word is FF FF hex, indicating that a program function is still in progress in the remote device. The event count shows that 264 (01 08 hex) events have been counted by the device.

YES ENTRY

GetCommEventCounter == OK

YES Function code

supported

Request Processing

Figure 19: Get Comm Event Counter state diagram

6.10 12 (0x0C) Get Comm Event Log (Serial Line only)

This function code is used to get a status word, event count, message count, and a field of event bytes from the remote device.

The status word and event counts are identical to that returned by the Get Communications Event Counter function (11, 0B hex).

The message counter contains the quantity of messages processed by the remote device since its last restart, clear counters operation, or power–up. This count is identical to that returned by the Diagnostic function (code 08), sub -function Return Bus Message Count (code 11, 0B hex).

The event bytes field contains 0-64 bytes, with each byte corresponding to the status of one MODBUS send or receive operation for the remote device. The rem ote device enters the events into the field in chronological order. Byte 0 is the most recent event. Each new byte flushes the oldest byte from the field.

(27)

The normal response contains a two–byte status word field, a two–byte event count field, a two–byte message count field, and a field containing 0-64 bytes of events. A byte count field defines the total length of the data in these four fields.

Request

Function code 1 Byte 0x0C

Response

Function code 1 Byte 0x0C

Byte Count 1 Byte N*

Status 2 Bytes 0x0000 to 0xFFFF

Event Count 2 Bytes 0x0000 to 0xFFFF

Message Count 2 Bytes 0x0000 to 0xFFFF

Events (N-6) x 1 Byte

*N = Quantity of Events + 3 x 2 Bytes, (Length of Status, Event Count and Message Count) Error

Error code 1 Byte 0x8C

Here is an example of a request to get the communications event log in remote device:

Function 0C Function 0C

Byte Count 08

Status Hi 00

Status Lo 00

Event Count Hi 01

Event Count Lo 08

Message Count Hi 01

Message Count Lo 21

Event 0 20

Event 1 00

In this example, the status word is 00 00 hex, indicating that the remote device is not processing a program function. The event count shows that 264 (01 08 hex) events have been counted by the remote device. The message count shows that 289 (01 21 hex) messages have been processed.

The most recent communications event is shown in the Event 0 byte. Its content (20 hex) show that the remote device has most recently entered the Listen Only Mode.

The previous event is shown in the Event 1 byte. Its contents (00 hex) show that the remote device received a Communications Restart.

The layout of the response’s event bytes is described below.

What the Event Bytes Contain

An event byte returned by the Get Communications Event Log function can be any one of four types. The type is defined by bit 7 (the high–order bit) in each byte. It may be further defined by bit 6. This is explained below.

 Remote device MODBUS Receive Event

The remote device stores this type of event byte when a query message is received. It is stored before the remote device processes the message. This event is defined by bit 7 set to logic ‘1’. The other bits will be set to a logic ‘1’ if the corresponding condition is TRUE. The bit layout is:

Bit Contents 0 Not Used

1 Communication Error 2 Not Used

3 Not Used

4 Character Overrun

(28)

5 Currently in Listen Only Mode 6 Broadcast Received

7 1

 Remote device MODBUS Send Event

The remote device stores this type of event byte when it finishes processing a request message. It is stored if the remote device returned a normal or exception response, or no response. This event is defined by bit 7 set to a logic ‘0’, with bit 6 set to a ‘1’. The other bits will be set to a logic ‘1’ if the corresponding condition is TRUE. The bit layout is:

Bit Contents

0 Read Exception Sent (Exception Codes 1-3) 1 Server Abort Exception Sent (Exception Code 4) 2 Server Busy Exception Sent (Exception Codes 5-6) 3 Server Program NAK Exception Sent (Exception Code 7) 4 Write Timeout Error Occurred

5 Currently in Listen Only Mode

6 1

7 0

 Remote device Entered Listen Only Mode

The remote device stores this type of event byte when it enters the Listen Only Mode.

The event is defined by a content of 04 hex.

 Remote device Initiated Communication Restart

The remote device stores this type of event byte when its communications port is restarted. The remote device can be restarted by the Diagnostics function (code 08), with sub-function Restart Communications Option (code 00 01).

That function also places the remote device into a ‘Continue on Error’ or ‘Stop on Error’ mode. If the remote device is placed into ‘Continue on Error’ mode, the event byte is added to the existing event log. If the remote device is placed into ‘Stop on Error’ mode, the byte is added to the log and the rest of the log is cleared to zeros.

The event is defined by a content of zero.

YES ENTRY

GetCommEventLog == OK

YES Function code

supported

Request Processing